NAT to set SSH proxy on local LAN between 2 subnets

  • Hi,

    I have a testing environment, and I need a proxy for SSH traffic on the LAN.
    I need to set a NAT rule so that when I ssh from ( to ( 22), the traffic will actually go to ( 2222), which is my SSH proxy server, which will then ssh to the original host ( 22) without NAT;
    the traffic needs to get back on the same path, from the original SSH server ( to the proxy ( and then to (

    the traffic sequence is: –> 22 --(nat to)--> 2222 --(no nat) --> 2222

    return --(no nat)--> --(nat return) -->

    I added a virtual IP for the LAN interface so routing from to goes via the pfSense

    traceroute to (, 64 hops max, 52 byte packets
    1 (  0.489 ms  0.409 ms  0.258 ms
    2 (  0.364 ms  0.508 ms  0.500 ms

    but the NAT rule I set is not working; I suspect it is not working on the return traffic from --> but I am not sure

    this is my rule - Shot 2014-11-25 at 11.05.54 PM.png?dl=0

    any advice?


  • From what you've said about this, it seems you're trying to NAT traffic from an internal address via your firewall to another internal address ( -> NAT -> This is going to cause a routing problem, as you're NATing from internal to internal. You say that your host can redirect to without NAT - yet they're on different address ranges (I assume you're using a class C netmask, though you don't actually state this).

    You don't need NAT if you're passing traffic from one local host to another host. I can't quite see what you're trying to achieve, though perhaps a more detailed description of your network (with net masks, routes) and what you're aiming to ultimately do would be helpful.

  • You are right muswellhillbilly, the subnets are class C /24

    my network is


    LAN - physical IP ( / 24) + virtual IP ( / 24)

            /  \

    I am trying to have the outgoing SSH connection go via the proxy server,
    so even though the IP that was typed is one that is reachable via the router route, it will be shaped to a different IP and port;
    so when typing (from, the route needs to go via the pfSense router ( that normally only needs to route it to the other virtual IP of the LAN (
    but what I need is that the pfSense will NAT this connection and will send it to port 2222 (and not directly to port 22)

    hope this is more clear

  • Once more I'll say again that I can't see why you're NATing from one local address to another local address. You can just point your host directly to and have the host proxy/forward the request to You don't need NAT at all if you're simply directing traffic from one local address to another.

  • I need the user to type 'ssh root@' … so that the proxy is transparent
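To illustrate why the original poster's "traffic needs to get back on the same path" requirement matters for a port forward like this one, here is a small stateful NAT simulation. It is added for this page and is not pfSense code or anything posted in the thread; the addresses are constructed RFC 5737 placeholders standing in for the IPs elided above, and the optional source rewrite (outbound NAT to the firewall's own IP) is a common way of forcing the proxy's replies back through the firewall, not something the thread itself describes.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addresses (RFC 5737 ranges); the thread's real IPs are not shown.
CLIENT = ("192.0.2.10", 51000)     # workstation on the first /24
TARGET = ("198.51.100.20", 22)     # SSH server the user actually types
PROXY = ("198.51.100.30", 2222)    # transparent SSH proxy on the second /24
FW_IP = "198.51.100.1"             # pfSense virtual IP on the second /24


@dataclass(frozen=True)
class Packet:
    src: tuple   # (ip, port)
    dst: tuple   # (ip, port)


class Firewall:
    """Minimal stateful port forward: dst TARGET:22 is rewritten to PROXY:2222."""

    def __init__(self, rewrite_source: bool = False):
        self.rewrite_source = rewrite_source   # optional outbound NAT to FW_IP
        self.state = {}                        # (reply src, reply dst) -> original (src, dst)

    def forward(self, p: Packet) -> Packet:
        """Client -> server direction: apply the port forward and record state."""
        if p.dst != TARGET:
            return p
        src = (FW_IP, p.src[1]) if self.rewrite_source else p.src
        self.state[(PROXY, src)] = (p.src, p.dst)
        return Packet(src, PROXY)

    def reply(self, p: Packet) -> Optional[Packet]:
        """Server -> client direction: undo the translation only for a known state."""
        orig = self.state.get((p.src, p.dst))
        return Packet(orig[1], orig[0]) if orig else None


def client_accepts(reply: Optional[Packet]) -> bool:
    """The client's TCP socket only matches a segment from the address:port it dialled."""
    return reply is not None and reply.src == TARGET and reply.dst == CLIENT


def simulate(reply_via_firewall: bool, rewrite_source: bool = False) -> bool:
    """Return True if the client sees a valid reply from TARGET:22."""
    fw = Firewall(rewrite_source)
    to_proxy = fw.forward(Packet(CLIENT, TARGET))
    reply = Packet(PROXY, to_proxy.src)        # the proxy answers whatever source it saw
    if rewrite_source:
        reply_via_firewall = True              # its destination is now the firewall itself
    if reply_via_firewall:
        reply = fw.reply(reply)                # un-NAT; otherwise the client sees PROXY:2222
    return client_accepts(reply)
```

A reply that bypasses the firewall's state table is never translated back, so the client's socket drops it; note also that with the proxy re-initiating SSH to the original host, the client's known_hosts check is made against whatever host key the proxy presents.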
